Setup Sieve mail filter with Postfix and Dovecot

A mailbox can get flooded with many emails, some are automatically generated, others are related to orders. Sorting through emails on a daily basis can be a tedious task. Email filters can help automate the most common tasks. One of those filtering mechanisms is called “Sieve“. Sieve allows to sort emails as they arrive on the server.

There are many ways to sort through emails. Many email clients support some sort of rules which can be applied to the mailbox. When using multiple clients to check the mailbox, the client with the rules needs to run in order to apply the rules. In short, the rules are only applied when the client runs. A nicer way to apply rules, without involving a client, are server side rules. With Sieve, incoming emails are sorted right before they are placed in the inbox of the account.

Advertisements

The project Pigeonhole adds Sieve support to Dovecot. To allow the Sieve filters to be applied by Dovecot, the MTA (in this setup postfix) must be instructed to pass the email to Dovecot for final delivery. Dovecot can then run the mail through the Sieve filter and deliver the email to its destination mailbox.

Postfix should be configured at this point to deliver the emails locally. It is assumed the “mbox” format is used by Dovecot as described in the above articles. Now Dovecot’s “LMTP” (Local Mail Transfer Protocol) should take over the email for delivery. The Dovecot configuration files are split up in most distributions and located in a “conf.d/” subdirectory. The configuration for LMTP is distributed across multiple files which makes it necessary to edit multiple files to configure and activate it.

/etc/dovecot/dovecot.conf holds a list of enabled protocols. To enable LMTP, make sure the “lmtp” protocol is listed, along with any other protocols which should be enabled. In this example only imap and LMTP will be enabled.

# Protocols we want to be serving.
protocols = imap lmtp

/etc/dovecot/conf.d/10-master.conf contains the configuration for the LMTP service. The LMTP service is configured to provide a Unix socket for postfix to connect to. The permission and owner settings ensure that the postfix process can access the socket file. The path is chosen to be inside the postfix spooling directory. As “mbox” storage is used to store emails, LMTP requires “client_limit” to be set to “1”. This ensures only one client at a time will modify the mbox file. The same setting is required for the “imap” service as it is now also involved in the local email delivery.

For postfix to pass mails to Dovecot, the /etc/dovecot/conf.d/10-auth.conf file needs to be adjusted. The “auth_username_format” needs to adopted to ensure only the username part is used to authenticate via lmtp. The “%Ln” uses only the user part and converts it to lower case. In detail, “%n” removes the domain part if present and “%L”controls the conversion to lower case.

auth_username_format = %Ln

With Dovecot delivering the emails to their inbox, the “recipient_delimiter” must be set as it is in postfix to allow LMTP to properly extract the user part from the email address. Even though this setting is part of the sieve configuration file, it is also used by LMTP as the comment states. The /etc/dovecot/conf.d/90-sieve.conf contains the “recipient_delimiter” setting.

plugin {
# The separator that is expected between the :user and :detail
# address parts introduced by the subaddress extension. This may
# also be a sequence of characters (e.g. '--'). The current
# implementation looks for the separator from the left of the
# localpart and uses the first one encountered. The :user part is
# left of the separator and the :detail part is right. This setting
# is also used by Dovecot's LMTP service.
recipient_delimiter = +
...
}

As a final step to setup LMTP, postfix needs to be instructed to send incoming mails for local delivery to Dovecot via LMTP. Depending on the configuration of Postfix, the “local_transport” or the ” virtual_transport” must be set accordingly.

The “virtual_transport” is the default for final delivery to domains listed with virtual_mailbox_domains.

The “local_transport” is the default for final delivery to domains listed with mydestination.

In the described setup, the “local_transport” setting needs to be used for the delivery to lmtp. The Postfix transport setting delivers emails received by postfix to Dovecot’s lmtp unix socket.

To activate the changes, restart Dovecot and Postfix. Test the setup before continuing. If emails are not delivered via lmtp, the next step, where we include sieve in the delivery of the email, will not have any effect.

Setup Sieve with Dovcecot

Sieve is an email filtering language specified in RFC5228 and also described on sieve.info. The sieve filter allows you to create rules on the server which are applied when the email is delivered. Emails can be matched against rules, and the related action can mark emails or just deliver them to a different destination folder of the user’s IMAP folder structure.

The rules are written in the sieve language and stored in the email user’s home directory. This is where the sieve implementation, “dovecot-pigeonhole”, will read the filter configuration from. To install dovecot-pigeonhole, the sieve plugin for Dovecot, the following package needs to be installed.

$ yum install dovecot-pigeonhole

The additional configuration files for sieve/pigeonhole can then be found in the Dovecot configuration directory. The /etc/dovecot/conf.d/90-sieve.conf file contains the “sieve” setting which controls which file should contain the user’s rules.

The second configuration file, /etc/dovecot/conf.d/20-lmtp.conf, enables the sieve plugin for the lmtp protocol. These settings configure the sieve filter into the delivery process so that the rules can be applied.

To load the changes in the configuration files and to activate the installed sieve plugin, dovecot needs to be restarted.

Testing Sieve Setup

When the above configuration is active, it is time to test the setup. I suggest creating a first Sieve filter. The filter should be written in a way to be able to test it by sending an email to yourself.

Example filters can be found at Pigeonhole Sieve examples. This page contains a number of very usefull examples showing many features and use-cases.

To test the basic functionality of the configured sieve filter, I suggest a simple filter. The following filter uses the “envelope” and the “imap4flags” extensions. The if-statement will match only when the received email is sent “from” the mentioned email address and contains the mentioned string in the “subject”.

When the if-conditions match, three actions will be executed. First, the flag “\\seen” is set which marks the email as read. “\\Flagged” sets the flagged state for the email. The flagged status of a message is not shown in the same way by all mail clients. Some might not even show it at all.

Adjust the if-condition to match the email address used to test the setup and send an email. The message should arrive in the inbox already marked as read and with the flagged status.

Troubleshoot Sieve and LMTP

When a sieve filter does not behave as expected, additional logging can be enabled in the /etc/dovecot/config.d/10-logging.conf configuration file. The setting to enable more logging is called “mail_debug”.

Manage rules with ManageSieve

Writing and managing the rule file on the server might not be very convenient. The ManageSieve extension tries to provide a way to write rules within an email client.

The ManageSieve protocol is specified in RFC 5804. There is a Thunderbird Sieve extension implementing the ManageSieve protocol allowing you to manage the rules from the mail client.

The managesieve protocol must be enabled and configured. In the /etc/dovecot/conf.d/20-managesieve.conf managesieve can be enabled with its port set to 4190 (port 2000 is the old manage sieve port, 4190 is the new one).

After the protocol is enabled, it needs to be configured. The following setting in /etc/dovecot/conf.d/10-auth.conf ensures that password authentication is only available via TLS as transport encryption.

# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
disable_plaintext_auth = yes

Restart dovecot to activate managesieve. Verify that the managesieve service was activated successfully by checking dovecot’s listening ports.